- Make an initial assessment of the extent of the breach.
- Decide, in consultation with Elite Care Homes’ management, who will carry out further investigation of the causes and likely impact of the incident.
- Decide if it is of a level of seriousness that requires notification to the ICO (is there a risk to people’s rights and freedoms?) or the police (has the data been compromised/stolen by a criminal act?).
- Establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
[Note: If it is decided that the breach is not of a level of seriousness that would require it to be reported, Elite Care Homes will document and retain any evidence which justified this decision.]
Risk Assessment
The person responsible for carrying out the investigation into a data breach will, within the first 24 hours (if possible), carry out an initial assessment of the extent of potential harm. This will focus on:
- The type of data involved and its level of sensitivity
- The volume of data stolen, copied or compromised
- The number of data subjects involved (that is, the persons affected or likely to be affected)
- The individuals/organisations that carried out the breach (if known)
- The extent to which the files involved were encrypted or password-protected.
Information to be Supplied
If it is decided that a serious breach has occurred that must be reported to the ICO, the following information will be made available:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned.
- The categories and approximate number of personal data records concerned.
- The name and contact details of the DPO or the person chosen to liaise with the authorities.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
[Note: It is accepted that organisations may not be able to carry out all the necessary checks, or to supply all the required information, within the laid-down 72-hour period. It is important, however, that initial contact is made within that period, even if it is only to explain why there will be a delay in supplying full details. In this event, Elite Care Homes should emphasise that it has made dealing with the breach a priority and is devoting all possible resources to the investigation. If in doubt, call the ICO helpline: 0303 123 1113.]
Levels of Seriousness
When deciding whether a breach is sufficiently serious to be notified to the ICO, the following points should be borne in mind:
- Is there a high risk of it adversely affecting the rights of data subjects?
- Would notification enable them or others on their behalf to take mitigating action?
- Would notification help to prevent the unauthorised or unlawful use of the data concerned?
- Does Elite Care Homes have a contractual duty to take such action?
[Note: Not all breaches will merit being reported to the authorities, but in all cases the persons affected should be informed of how and when the breach occurred, what has been done to correct the situation and what they may wish to do to further safeguard themselves. A contact within Elite Care Homes must be provided so that those affected have access to further information.]
Further Action
During the aftermath of a breach, in the reporting and investigation stages, the required information should not only be gathered and supplied as appropriate but should also be recorded. This should form the basis of a final report into the breach, to be prepared by the DPO or the person responsible for data protection, which will be considered at the highest level within Elite Care Homes (board, senior management, owner, etc.).
This report should include recommendations for remedial action and improvements in Elite Care Homes’ data protection policy as appropriate and should consider the need for further training of relevant staff.
Review
This policy will be reviewed annually or more frequently in line with changes to the national guidance and strategies on the provision of accessible information.